[Samba] Re: Domain SID does not match built in domain groups SIDs...

2006-09-05 Thread Jason Shaw
You are correct. I have users and groups with the correct domain SID, 
but there are a few groups that have the wrong domain SID and I want to 
correct them.


I ended up just stopping the Samba daemon and editing the bad groups' 
SIDs with an LDAP editor. It may have not been as safe as your way, but 
it seems to have worked.


Thank you for helping!


Jamrock wrote:

Jason Shaw [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

Would remapping them correct the SIDs? Can I just use a LDAP editor and
manually change the SID to what it should be without screwing up other
things? To my understanding, all the important Samba data is stored in
LDAP. So I shouldn't have to worry about the contents of smbpasswd,
secrets.tdb, or anything of that nature, right?

Given I can just edit the SIDs, I do know that I may have to restart the
SMB daemon, rejoin some users to groups, correct the local
administrators group on workstations, etc. I understand the clean up, I
don't want to ruin anything else that's not a simple text edit or
command call.


There is a utility that allows you to change the domain's SID.  Search the
archives and the documentation for net setlocalsid


I do not want to change the domain or the server SID. Doing so would
invalidate the users I have already entered. I just want to fix a couple of
groups that have bad SIDs.


It sounds as if you are saying that the users have the same SID as the
domain.  However some groups have incorrect SID's.

If you are keeping the POSIX and Windows user information in LDAP, you can
do the following:

Make a backup of the folder containing the ldap data.

Use ldapsearch to export the contents of the ldap directory to a file.  This
provides a second backup

Use ldapsearch  to dump the group information to a file.

Modify the SID information in the second (group) file and use ldapmodify to
bring the correct information back into the ldap directory.

This is based on the assumption that the domain's SID is correct and the
users' SID's are correct. Only the groups' SID's are incorrect.




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
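
Jamrock's dump, edit and re-import procedure, sketched as an added example (not code from any poster in this thread): the function reads the group dump and emits ldapmodify input only for groups whose SID prefix differs from the domain SID, keeping each RID. The domain SID, the DNs and the name `fix_group_sids` are constructed for illustration; BUILTIN aliases under S-1-5-32 are skipped because they are not domain-relative.

```shell
#!/bin/sh
# Added example with constructed sample data; not from the original thread.
# On a live directory the input would come from a group dump such as:
#   ldapsearch -x -LLL -o ldif-wrap=no -b "$BASE" \
#       '(objectClass=sambaGroupMapping)' dn sambaSID > groups.ldif
# and the reviewed output would be applied with:
#   ldapmodify -x -D "$BINDDN" -W -f fix.ldif
# The expected domain SID can be read with: net getlocalsid

# Usage: fix_group_sids DOMAIN_SID < groups.ldif > fix.ldif
fix_group_sids() {
    awk -v dom="$1" '
        /^dn::? / { dn = $0; next }          # keep the DN line verbatim
        /^sambaSID: / {
            sid = $2
            # BUILTIN aliases (S-1-5-32-RID) carry no domain SID: skip them.
            if (sid ~ /^S-1-5-32-[0-9]+$/) next
            n = split(sid, part, "-")
            rid = part[n]                    # last sub-authority is the RID
            prefix = substr(sid, 1, length(sid) - length(rid) - 1)
            if (prefix != dom && rid ~ /^[0-9]+$/) {
                print dn
                print "changetype: modify"
                print "replace: sambaSID"
                print "sambaSID: " dom "-" rid
                print ""
            }
        }
    '
}

# Constructed group dump: one correct group, one with a foreign domain
# SID, and one BUILTIN alias that must be left alone.
sample_groups() {
cat <<'EOF'
dn: cn=Domain Admins,ou=Groups,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-513

dn: cn=Administrators,ou=Groups,dc=example,dc=org
sambaSID: S-1-5-32-544
EOF
}

sample_groups | fix_group_sids "S-1-5-21-1111111111-2222222222-3333333333"
```

Review the generated LDIF before applying it, and check that no rewritten SID collides with one already assigned to another group.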


[Samba] Re: Domain SID does not match built in domain groups SIDs...

2006-09-02 Thread Jamrock

Jason Shaw [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
  Would remapping them correct the SIDs? Can I just use a LDAP editor and
  manually change the SID to what it should be without screwing up other
  things? To my understanding, all the important Samba data is stored in
  LDAP. So I shouldn't have to worry about the contents of smbpasswd,
  secrets.tdb, or anything of that nature, right?

  Given I can just edit the SIDs, I do know that I may have to restart the
  SMB daemon, rejoin some users to groups, correct the local
  administrators group on workstations, etc. I understand the clean up, I
  don't want to ruin anything else that's not a simple text edit or
  command call.


  There is a utility that allows you to change the domain's SID.  Search the
  archives and the documentation for net setlocalsid


 I do not want to change the domain or the server SID. Doing so would
 invalidate the users I have already entered. I just want to fix a couple of
 groups that have bad SIDs.

It sounds as if you are saying that the users have the same SID as the
domain.  However some groups have incorrect SID's.

If you are keeping the POSIX and Windows user information in LDAP, you can
do the following:

Make a backup of the folder containing the ldap data.

Use ldapsearch to export the contents of the ldap directory to a file.  This
provides a second backup

Use ldapsearch  to dump the group information to a file.

Modify the SID information in the second (group) file and use ldapmodify to
bring the correct information back into the ldap directory.

This is based on the assumption that the domain's SID is correct and the
users' SID's are correct. Only the groups' SID's are incorrect.





[Samba] Re: Domain SID does not match built in domain groups SIDs...

2006-09-01 Thread Jason Shaw

Would remapping them correct the SIDs? Can I just use a LDAP editor and
manually change the SID to what it should be without screwing up other
things? To my understanding, all the important Samba data is stored in
LDAP. So I shouldn't have to worry about the contents of smbpasswd,
secrets.tdb, or anything of that nature, right?



Given I can just edit the SIDs, I do know that I may have to restart the
SMB daemon, rejoin some users to groups, correct the local
administrators group on workstations, etc. I understand the clean up, I
don't want to ruin anything else that's not a simple text edit or
command call.



There is a utility that allows you to change the domain's SID.  Search the
archives and the documentation for net setlocalsid



I do not want to change the domain or the server SID. Doing so would 
invalidate the users I have already entered. I just want to fix a couple of 
groups that have bad SIDs.


Looking through the IDEALX scripts, it appears that I can just edit 
these SIDs with an LDAP editor; they appear to only modify the LDAP, no 
other Samba files (secrets.tdb, etc). But I'm not certain and do not 
want to proceed until I know I won't screw myself over by doing so.


Does anyone see anything wrong with this? Should I just delete these 
groups and recreate them? Would that be a more smart way?



Thank you,

Jason


[Samba] Re: Domain SID does not match built in domain groups' SIDs...

2006-08-31 Thread Jamrock
Would remapping them correct the SIDs? Can I just use a LDAP editor and
manually change the SID to what it should be without screwing up other
things? To my understanding, all the important Samba data is stored in
LDAP. So I shouldn't have to worry about the contents of smbpasswd,
secrets.tdb, or anything of that nature, right?

Given I can just edit the SIDs, I do know that I may have to restart the
SMB daemon, rejoin some users to groups, correct the local
administrators group on workstations, etc. I understand the clean up, I
don't want to ruin anything else that's not a simple text edit or
command call.


There is a utility that allows you to change the domain's SID.  Search the
archives and the documentation for net setlocalsid


